Abstract

A new algorithm for computing discrete logarithms on elliptic curves defined over finite fields is suggested. It is based on a new method to find zeroes of summation polynomials. In binary elliptic curves one is to solve a cubic system of Boolean equations. Under a first fall degree assumption the regularity degree of the system is at most 4. Extensive experimental data which supports the assumption is provided. A heuristic analysis suggests a new asymptotical complexity bound $2^{c\sqrt{n \ln n}}$, $c \approx 1.69$, for computing discrete logarithms on an elliptic curve over a field of size $2^n$. For several binary elliptic curves recommended by FIPS the new method performs better than Pollard's.


1 Introduction

Let $E$ be an elliptic curve defined over a finite field $F_q$ with $q$ elements. The discrete logarithm problem is: given $P, Q \in E(F_q)$, compute an integer number $z$ such that $Q = zP$ in the group $E(F_q)$. That problem was introduced in [15, 13]. A number of information security standards are now based on the hardness of the problem, see [7] for instance. Two cases are of most importance: $q = p$ is a large prime number and $q = 2^n$, where $n$ is prime. For super-singular and anomalous elliptic curves the discrete logarithm problem is easy; that was independently discovered by several authors, see [20, 22, 8] and [23, 26]. The more general are Pollard's methods [16]. They are applicable to compute discrete logarithms in any finite group. In the elliptic curve case the time complexity is proportional to $\sqrt{q}$ field operations and the memory requirement is negligible. The method was improved in later works, though the asymptotical complexity bound remained. In [18] a method for efficient parallelisation of Pollard type algorithms was provided.
Summation polynomials for elliptic curves were introduced in [24]. It was there suggested to construct an index calculus type algorithm for the elliptic curve discrete logarithm problem by decomposing points via computing zeroes of these polynomials. In [10, 17, 6] Gröbner basis type algorithms were applied for computing zeroes of summation polynomials or their generalisations over extension finite fields. For curves over some such fields the problem was proved to be sub-exponential, [3]. However no improvement for elliptic curves over prime fields or binary fields of prime extension degree was achieved in those papers.

Based on observations in [6], it was shown in [17] that under a first fall degree assumption for Boolean equation systems coming from summation polynomials, the time complexity for elliptic curves over $F_{2^n}$ is sub-exponential and proportional to $2^{c\,n^{2/3}\log n}$, where $c = 2\omega/3$ and $2.376 \le \omega \le 3$ is the linear algebra constant. It was there found that for $n > 2000$ the method is better than Pollard's. The assumption was supported by experiments with the computer algebra package MAGMA in [17, 25].

In this work we suggest computing zeroes of summation polynomials by solving a much simpler system of Boolean equations. The system incorporates more variables than previously but has algebraic degree only 3. The first fall degree is proved to be 4. Then a first fall degree assumption says the regularity degree of the Gröbner basis algorithm F4 is at most 4 as well. The assumption was endorsed by numerous experiments with MAGMA. The new method strikingly overcomes what was achieved in the experiments of [17, 25].

The time and memory complexity of computing summation polynomial zeroes under the assumption is polynomial in $n$. The overall time complexity of computing discrete logarithms on elliptic curves over $F_{2^n}$ becomes proportional to

$2^{c\sqrt{n \ln n}},$

where $c = (2/\ln 2)^{1/2} \approx 1.69$. Our analysis suggests a number of FIPS binary elliptic curves in [7] are theoretically broken, as the new method starts to perform better than Pollard's for $n > 310$. The estimate is obviously extendable to elliptic curves over $F_{p^n}$ for fixed $p > 2$ and growing $n$, by using first fall degree bounds from [17]. The time complexity is then

2 Summation polynomials and index calculus on elliptic curves

Let $E$ be an elliptic curve over a field $K$ in Weierstrass form

$Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6.$ (1)

For an integer $m \ge 2$ the $m$-th summation polynomial is the polynomial $S_m$ in $m$ variables defined by the following property. Let $x_1, x_2, \dots, x_m$ be any elements from $\bar K$, the algebraic closure of $K$; then $S_m(x_1, x_2, \dots, x_m) = 0$ if and only if there exist $y_1, y_2, \dots, y_m \in \bar K$ such that the points $(x_i, y_i)$ are on $E$ and

$(x_1, y_1) + (x_2, y_2) + \dots + (x_m, y_m) = \infty$

in the group $E(\bar K)$, see [24]. It is enough to find $S_3(x_1, x_2, x_3)$; then for $m \ge 4$ in any case

$S_m(x_1, \dots, x_m) = \mathrm{Res}_X\big(S_{m-r}(x_1, \dots, x_{m-r-1}, X),\; S_{r+2}(x_{m-r}, \dots, x_m, X)\big),$ (2)

where $1 \le r \le m - 3$. The polynomial $S_m$ is symmetric for $m \ge 3$ and has degree $2^{m-2}$ in each of its variables. $S_3$ was explicitly constructed in [24] for characteristic $\ge 5$ and characteristic 2, the latter in case of a so called Koblitz curve. In characteristic $\ge 5$ we can assume $a_1 = a_3 = a_2 = 0$ and denote $A = a_4$, $B = a_6$. So

$S_3(x_1, x_2, x_3) = (x_1 - x_2)^2 x_3^2 - 2[(x_1 + x_2)(x_1 x_2 + A) + 2B]\, x_3 + (x_1 x_2 - A)^2 - 4B(x_1 + x_2).$

We are mostly concerned with the characteristic 2 case and the curves recommended by [7]. So we can assume $a_1 = 1$, $a_3 = 0$, $a_4 = 0$ and denote $A = a_2$, $B = a_6$. Then

$S_3(x_1, x_2, x_3) = (x_1 x_2 + x_1 x_3 + x_2 x_3)^2 + x_1 x_2 x_3 + B,$

see [24, 3].

It was suggested in [24] to construct an index calculus type algorithm for the discrete logarithm problem in $E(F_q)$ via finding zeroes of summation polynomials. For random integers $u, v$ compute an affine point $R = uP + vQ = (R_x, R_y)$. Then solve the equation

$S_{m+1}(x_1, \dots, x_m, R_x) = 0$ (3)

for $x_i \in V$, where $V$ is a subset of $F_q$. Each solution provides a linear relation (decomposition) which incorporates $R$ and at most $m$ points from a relatively small set of points in $E(F_q)$ whose $X$-coordinate belongs to $V$, and possibly an order 2 point in $E(F_q)$. Then a linear algebra step finds the unknown logarithm. Two cases were considered in [24]. First, $q$ is a prime number; then $V$ is a set of residues modulo $q$ below a bound chosen with a small $\delta$. Second, $q = 2^n$, $f(X)$ is an irreducible polynomial of degree $n$ over $F_2$ and $F_{2^n} = F_2[X]/(f(X))$. Then $V$ is the set of all polynomials of degree $< n/m + \delta$ modulo $f(X)$. However no algorithm to find the zeroes in $V$ of summation polynomials was suggested in [24]. In the next Section 3 we suggest producing the decomposition by solving a different equation system. The new system is essentially equivalent to (3). In case $q = p^n$, where $n$ is large, after reducing the equations over $F_q$ to coordinate equations over $F_p$ (Weil descent) the solution method is a Gröbner basis algorithm. In Section 4 for $p = 2$ we show under a first fall degree assumption that the complexity of a Gröbner basis algorithm on such instances is polynomial. The assumption was proved correct in numerous experiments with the computer algebra package MAGMA. A similar assumption looks correct for odd $p$ too, but the computations are tedious already for $p = 5$.
3 New algorithm

Let $P$ be a point of order $r$ in the group $E(F_q)$, where $E$ is an elliptic curve defined over $F_q$. Then $Q = zP$ belongs to the subgroup generated by $P$. The discrete logarithm problem is: given $Q$ and $P$, find $z \bmod r$. In this section an algorithm for computing $z$ is described.

1. Define the parameter $m$ and a subset $V$ of $F_q$ of size around $q^{1/m}$.

2. For random integers $u, v$ compute $R = uP + vQ$. If $R = \infty$, then compute $z$ from the equation $vz + u \equiv 0 \bmod r$. Otherwise $R$ has affine coordinates $(R_x, R_y)$. If $R_x = x_1 \in V$, then we have a relation (6) for $t = 1$. Otherwise

3. for $t = 2, \dots, m$ try to compute $x_1, \dots, x_t \in V$ and $u_1, \dots, u_{t-2} \in F_q$ until the first system of the following $t - 1$ equations is satisfied:

$S_3(u_1, x_1, x_2) = 0,$

$S_3(u_i, u_{i+1}, x_{i+2}) = 0, \quad 1 \le i \le t - 3,$ (4)

$S_3(u_{t-2}, x_t, R_x) = 0.$

For $t = 2$ the system consists of only one equation $S_3(x_1, x_2, R_x) = 0$. If none of the systems is satisfied, repeat the step with a new $R$. The solutions to (4) are solutions to

$S_{t+1}(x_1, x_2, \dots, x_t, R_x) = 0.$ (5)

The reverse statement is true as well if the systems (5) with lower $t$ are not satisfiable, see Lemma 2. In practical terms it is enough to solve only one system (4) for $t = m$. The experiments in characteristic 2 presented below demonstrate that for $t < m$ the solving running time with a Gröbner basis algorithm drops dramatically and the probability of solving is relatively lower. So it may be more efficient to solve a lot of the systems with $t < m$ for different $R$ instead of one system for $t = m$ with one $R$. One can probably win in efficiency and lose in probability. Though the trade-off may be positive, we won't pursue this approach in the present work as this does not affect the asymptotical running time estimates.

Compute $y_1, \dots, y_t \in F_{q^2}$ such that

$(x_1, y_1) + (x_2, y_2) + \dots + (x_t, y_t) + uP + vQ = \infty.$ (6)

If there are $y_i \in F_{q^2} \setminus F_q$, then the sum of all points $(x_i, y_i)$ in (6) where $y_i \in F_{q^2} \setminus F_q$ is a point in $E(F_q)$ of order exactly 2, see Lemma 2. So that is a useful relation anyway. At most $|V|$ relations (6) are necessary on the average.

4. Solve the linear equations (6) and get $z \bmod r$.
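The following is an added example, not code from the paper: a direct check of the defining property of $S_3$ from Section 2 and of step 3 above for $t = 2$ on a toy curve. The field $F_{2^5}$, its modulus, the curve coefficients $A, B$ and the choice $k = 3$ are constructed for illustration; the zeroes of $S_3(x_1, x_2, R_x)$ over $V$ are found by exhaustive search rather than by a Gröbner basis (which is exactly the step the paper replaces), and lifts with $y_i \notin F_q$, the order 2 case of Lemma 2, are not collected.

```python
from itertools import combinations_with_replacement

N = 5
MOD = 0b100101     # F_{2^5} = F_2[x]/(x^5 + x^2 + 1); a constructed toy field
Q = 1 << N         # q = 2^n = 32
A, B = 1, 0b01011  # y^2 + xy = x^3 + A x^2 + B (constructed); B != 0 keeps E non-singular

def gf_mul(a, b):
    """Multiply in F_{2^N}; an integer's bits are the coefficients of a polynomial in alpha."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= MOD
    return r

def gf_inv(a):
    """1/a = a^(q-2) by square and multiply, a != 0."""
    r, e = 1, Q - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def on_curve(P):
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A, x2) ^ B

def ec_add(P1, P2):
    """Group law on E(F_q); None is infinity and -(x, y) = (x, x + y)."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if y1 != y2 or x1 == 0:   # P2 = -P1, or doubling the 2-torsion point (0, sqrt(B))
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def s3(x1, x2, x3):
    """Third summation polynomial (13) of the curve above."""
    s = gf_mul(x1, x2) ^ gf_mul(x1, x3) ^ gf_mul(x2, x3)
    return gf_mul(s, s) ^ gf_mul(gf_mul(x1, x2), x3) ^ B

def points_by_x():
    """Affine points of E(F_q) grouped by x-coordinate (one or two per x)."""
    by_x = {}
    for x in range(Q):
        for y in range(Q):
            if on_curve((x, y)):
                by_x.setdefault(x, []).append((x, y))
    return by_x

def s3_matches_group_law():
    """S3(x1,x2,x3) = 0 exactly when some F_q-rational lifts of x1, x2, x3 sum to infinity.
    Only x-coordinates of F_q-rational points are tested, so every lift has y in F_q."""
    by_x = points_by_x()
    pts = [P for ps in by_x.values() for P in ps]
    summable = set()              # (x1, x2, x(P1 + P2)); the third lift is -(P1 + P2)
    for P1 in pts:
        for P2 in pts:
            S = ec_add(P1, P2)
            if S is not None:     # -S is F_q-rational, so x(S) is a key of by_x
                summable.add((P1[0], P2[0], S[0]))
    return all((s3(x1, x2, x3) == 0) == ((x1, x2, x3) in summable)
               for x1 in by_x for x2 in by_x for x3 in by_x)

def decompose_t2(R, k):
    """Step 3 for t = 2: x1, x2 in V = {polynomials in alpha of degree < k} with
    S3(x1, x2, R_x) = 0, found by exhaustive search instead of a Groebner basis, then
    lifted to points with P1 + P2 + R = infinity (Lemma 1); lifts with y outside F_q are skipped."""
    by_x = points_by_x()
    rels = []
    for x1, x2 in combinations_with_replacement(range(1 << k), 2):   # S3 is symmetric
        if s3(x1, x2, R[0]) == 0:
            for P1 in by_x.get(x1, []):
                for P2 in by_x.get(x2, []):
                    if ec_add(ec_add(P1, P2), R) is None:
                        rels.append((P1, P2))
    return rels

def decomposition_is_complete(k):
    """For every affine R, the relations found through S3 are exactly the pairs of
    factor base points (x < 2^k) whose sum is -R."""
    by_x = points_by_x()
    base = [P for x in by_x if x < (1 << k) for P in by_x[x]]
    for R in (P for ps in by_x.values() for P in ps):
        found = {frozenset(rel) for rel in decompose_t2(R, k)}
        expect = {frozenset((P1, P2)) for P1 in base for P2 in base
                  if ec_add(ec_add(P1, P2), R) is None}
        if found != expect:
            return False
    return True
```

`decomposition_is_complete(k)` cross-checks every affine $R$ against the factor base of points with $x \in V$; in an actual run only random $R = uP + vQ$ are decomposed and each pair found becomes one relation (6) for the linear algebra step.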
4 Analysis

We will show in Lemma 2 that the system (4) is essentially equivalent to (5). Although the number of variables in (4) is significantly larger, each equation on its own is much simpler. In particular, the algebraic degree of the equations (4) in each of the variables is only 2, in contrast to $2^{t-1}$ for (5).


4.1 Lemmas

Lemma 1 Let the elliptic curve $E$ be defined over a field $F_q$. Let $x_1, \dots, x_t \in V$ be a solution to (5). Then there exist $y_1, \dots, y_t \in F_{q^2}$ such that

$(x_1, y_1) + (x_2, y_2) + \dots + (x_t, y_t) + R = \infty.$ (7)

Lemma 2 Let $R_x \notin V$. Assume the equations

$S_{i+1}(x_1, \dots, x_i, R_x) = 0, \quad x_1, \dots, x_i \in V,$

are not satisfiable for $2 \le i < t$ and $x_1, \dots, x_t \in V$ is a solution to $S_{t+1}(x_1, \dots, x_t, R_x) = 0$. Then

1. in (7) assume $y_1, \dots, y_s \in F_{q^2} \setminus F_q$ and $y_{s+1}, \dots, y_t \in F_q$. Then

$H = (x_1, y_1) + \dots + (x_s, y_s)$

is a point in $E(F_q)$ of order exactly 2. So $s = 0$ or $s \ge 2$.

2. There exist $u_1, \dots, u_{t-2} \in F_q$ such that

$S_3(u_1, x_1, x_2) = 0,$

$S_3(u_i, u_{i+1}, x_{i+2}) = 0, \quad 1 \le i \le t - 3,$ (8)

$S_3(u_{t-2}, x_t, R_x) = 0.$

Proof Let's prove the first statement of the lemma. Assume $s > 0$ and let

$G = (x_{s+1}, y_{s+1}) + \dots + (x_t, y_t) \in E(F_q).$

Then $H = -R - G \in E(F_q)$ as well. Let $\sigma$ be the non-trivial automorphism of $F_{q^2}$ over $F_q$. For $y_i \notin F_q$ the conjugate $\sigma(y_i)$ is the other root of the curve equation at $x_i$, so $\sigma(x_i, y_i) = -(x_i, y_i)$, and therefore

$\sigma(H) + H = \infty, \quad \sigma(H) = H,$

and so $2H = \infty$. If $H = \infty$, then $G + R = \infty$ and so $S_{t-s+1}(x_{s+1}, \dots, x_t, R_x) = 0$. That contradicts the assumption. Therefore $H$ is a point in $E(F_q)$ of order exactly 2 and $s \ge 2$.

Let's prove the second statement. Assume $y_1, \dots, y_s \in F_{q^2} \setminus F_q$ and $y_{s+1}, \dots, y_t \in F_q$, where $s = 0$ or $s \ge 2$. There are points $P_1, \dots, P_{t-2}$ such that

$(x_1, y_1) + (x_2, y_2) + P_1 = \infty,$

$P_i + (x_{i+2}, y_{i+2}) + P_{i+1} = \infty, \quad 1 \le i \le t - 3,$ (9)

$P_{t-2} + (x_t, y_t) + R = \infty.$

By the lemma assumption and the previous statement $P_1, \dots, P_{t-2} \ne \infty$. So $P_i = (u_i, w_i)$, where $u_i \in F_q$: each $P_i$ is minus a partial sum, and while the partial sum runs over the conjugate points it is mapped to its negative by $\sigma$, after which it lies in $E(F_q)$, so its $x$-coordinate is in $F_q$ in either case. Therefore (9) implies (8). The lemma is proved.

A variation of the first statement of Lemma 2 has already appeared in [24].

4.2 General discussion on complexity

The complexity of solving the linear system of equations (6) is taken as $O(|V|^{\omega'})$, where $\omega' = 2$ as the system is very sparse for any finite field $F_q$, see [28].

It is not quite clear how the system (4) may be resolved in case $q$ is a large prime number. However, for $q = p^n$, where $n$ is large, a Gröbner basis algorithm is applicable. The approach was already used in [17, 25] for solving (3) after it was reduced to a system of $n$ multivariate polynomial equations in about $n$ variables over $F_p$ by so called Weil descent, where $V$ may be taken as any vector space of dimension $k = \lceil n/m \rceil$ over $F_p$. The problem of generating such a system and keeping it in computer memory before solving is difficult by itself for $m \ge 4$, and the difficulties increase rapidly for larger $m$. In [17] it was shown that the complexity of solving (3) is sub-exponential in $n$ under a first fall degree assumption, see Section 4.4 below. That assumption was supported by a number of experiments in [17, 25], where the parameter $m$ was taken at most 3.

In this paper we suggest using a Gröbner basis algorithm to solve (4) rather than (3). The system (4) for $t = m$ is equivalent to a system of $(m-1)n$ multivariate equations in $(m-2)n + km \approx (m-1)n$ variables over $F_p$. Under a first fall degree assumption, see Section 4.4 and Assumption 1, we show its complexity is $O([n(m-1)]^{4\omega})$, where $2.376 \le \omega \le 3$, that is polynomial in $n$. The assumption was proved correct in numerous experiments with MAGMA, see Section 4.5.1. We were able to solve (4) for $t = m$, and therefore (3), for $m$ as 5, 6 and some $n$ on a common computer. For $n, m$ as in [17, 25], the solution is up to 50 times faster and takes up to 10 times less memory in comparison with [17, 25]. Similar to [17], one can take advantage of the block structure of the Boolean system resulting from (4), though that does not affect the asymptotical estimates. By extrapolating running time estimates we find that the four binary curves recommended by FIPS PUB 186-4 [7] for $n = 409, 571$ become theoretically broken, as the new method is faster than Pollard's for $n > 310$, see Section 4.5.2. If the block structure of the system is not exploited and we extrapolate the complexity of the default Gröbner basis algorithm F4, then only the two FIPS curves for $n = 571$ are broken.

In practical terms an additional effort is required in order to accelerate the decomposition stage by solving (4) and to break the rest of the binary curves in [7]. As the collecting stage still significantly dominates the method running time, see Table 3, one can use almost unbounded parallelisation to get more efficiency. In the asymptotical analysis the complexity of generating summation polynomials and computing their zeroes to get a point decomposition may be neglected as it is polynomial. That significantly improves the asymptotical complexity bound in [17], see Section 4.5.2.

4.3 Success probability

We estimate the probability that

$S_{t+1}(x_1, \dots, x_t, R_x) = 0, \quad x_1, \dots, x_t \in V,$

where $2 \le t \le m$, is satisfiable. We adopt the following model. For random $z$ the mapping $x_1, \dots, x_t \to S_{t+1}(x_1, \dots, x_t, z)$ is a symmetric random mapping from $V^t$ to $F_q$. Let $K$ be the number of classes of tuples $(x_1, \dots, x_t)$ under permuting the entries. Then $K \approx |V|^t/t!$. The probability of a solution is the probability $P(q, m, t, |V|)$ that the mapping hits $0 \in F_q$ at least once. So

$P(q, m, t, |V|) = 1 - (1 - 1/q)^K \approx 1 - (1 - 1/q)^{|V|^t/t!} \approx 1 - e^{-|V|^t/(t!\,q)}.$ (10)

If $|V|^t/t!$ is small compared with $q$, then $P(q, m, t, |V|) \approx |V|^t/(t!\,q)$, as in [24]. It is obvious that the probability of solving at least one of the first $t - 1$ systems (4) is at least $P(q, m, t, |V|)$. On the other hand, the latter is larger than the probability of solving (4) for this particular $t$. Therefore, we can assume that the probability of solving (4) is approximately $P(q, m, t, |V|)$.

In case $q = p^n$ we denote the probability $P(q, m, t, |V|)$ by $P(n, m, t, k)$, where $|V| = p^k$ and $p$ should be clear from the context.

4.4 Solving polynomial equations and first fall degree assumption

Let

$f_1(x_1, \dots, x_n) = 0,$

$f_2(x_1, \dots, x_n) = 0,$

$\dots$

$f_m(x_1, \dots, x_n) = 0$ (11)

be a system of polynomial equations over a field $K$. The system (11) may be solved by first finding a Gröbner basis $g_1, g_2, \dots, g_s$ for the ideal generated by the polynomials $f_1, f_2, \dots, f_m$. If the ground field $K = F_q$ is a finite field of $q$ elements and we want the solutions with entries in $F_q$, then the basis is computed for the ideal generated by

$f_1, f_2, \dots, f_m, \; x_1^q - x_1, \dots, x_n^q - x_n.$

The solutions to $g_i(x_1, \dots, x_n) = 0$ ($1 \le i \le s$) are solutions to (11), and they are relatively easy to find due to the properties of the Gröbner basis. Several algorithms were designed to construct a Gröbner basis. Let $\deg g$ denote the total degree of the polynomial $g = g(x_1, \dots, x_n)$. The first algorithm [2] was based on reducing pairwise combinations (S-polynomials) of the polynomials from the current basis and augmenting the current basis with their remainders. Equivalently, one can triangulate a Macaulay matrix $M_d$ whose rows are the coefficients of the polynomials $m_i f_j$, where $m_i$ are monomials and $\deg(m_i) + \deg(f_j) \le d$, for a parameter $d$. That produces a Gröbner basis for some large enough $d = d_0$. The matrix incorporates at most $\binom{n+d}{d} = O(n^d)$ columns. So the complexity is $O(n^{d_0 \omega})$ ground field operations, where $2.376 \le \omega \le 3$ is the linear algebra constant. Also one may solve the system of linear equations which comes from $m_i f_j = 0$, $\deg(m_i) + \deg(f_j) \le d$, after linearisation, to get the solutions to (11) without computing a Gröbner basis. The method is called extended linearisation (XL). The matrix of the system is essentially $M_d$. For large enough $d = d_1$ the rank of the matrix is close to the number of variables after linearisation [29]. The complexity is $O(n^{d_1 \omega'})$ ground field operations, where $2 \le \omega' \le 3$ is a linear algebra constant which depends on the sparsity of the matrix. It may be that $\omega' = 2$ for a very sparse matrix in case of solving by extended linearisation.

Numerous experiments with solving the equations (4) by the computer algebra package MAGMA were done in this work. MAGMA implements an efficient Gröbner basis algorithm F4 [4]. The algorithm successively constructs Macaulay type matrices of increasing sizes, computes row echelon forms of them, produces some new polynomials and uses them in the next step of the construction as well. At some point no new polynomials are generated. Then the current set of polynomials is a Gröbner basis. The complexity is characterised by $d_{F4}$, the maximal total degree of the polynomials occurring before a Gröbner basis is computed. The overall complexity is the sum of the complexities of some steps, where the largest step complexity is bounded by

$O(n^{d_{F4}\,\omega}).$ (12)

We assume the complexity of the computation is determined by the complexity of the largest step. In the experiments in Section 4.5.1 the ratio between the overall running time and the largest step running time was bounded by $\approx 3$ for the number of variables $n \approx 50$. So in the asymptotical analysis below we accept (12) as the complexity of F4. Another Gröbner basis algorithm, F5 [5], with maximal total degree $d_{F5}$ has complexity $O\big(\binom{n + d_{F5}}{d_{F5}}^{\omega}\big)$, see [1]. It was implicitly assumed in [17, 25] that $d_{F4} = d_{F5}$.

We will use the following definition found in [17]. The first fall degree for (11) is the smallest total degree $d_{ff}$ such that there exist polynomials $g_i = g_i(x_1, \dots, x_n)$, $1 \le i \le m$, with

$\max_i(\deg g_i + \deg f_i) = d_{ff}, \quad \deg \sum_i g_i f_i < d_{ff}$

and $\sum_i g_i f_i \ne 0$. A first fall degree assumption says $d_{F4} \le d_{ff}$, and that is a basis for the asymptotical complexity estimates in [17]. Although not generally correct, the assumption appears correct for the polynomial systems coming from (3) and was supported by extensive experiments for relatively small parameters in [17, 25]. This is very likely correct for (4) as well, see the sections below.

4.5 Characteristic 2

Let $E$ be determined by

$Y^2 + XY = X^3 + AX^2 + B,$

$A, B \in F_{2^n}$. Therefore,

$S_3(x_1, x_2, x_3) = (x_1 x_2 + x_1 x_3 + x_2 x_3)^2 + x_1 x_2 x_3 + B,$ (13)

see Section 2. Let $f(x)$ be an irreducible polynomial of degree $n$ over $F_2$ and $\alpha$ its root in $F_{2^n}$. Then $1, \alpha, \dots, \alpha^{n-1}$ is a basis of $F_{2^n}$ over $F_2$. Elements of $F_{2^n}$ are represented as polynomials in $\alpha$ of degree at most $n - 1$. Let $V$ be the set of all polynomials in $\alpha$ of degree $< k = \lceil n/m \rceil$. Obviously, that is a vector space over $F_2$ of dimension $k$. Following [3], one can define $V$ as any subspace of $F_{2^n}$ of dimension $k$. However it seems that using the subspace of low degree polynomials significantly reduces the time and space complexity in comparison with a randomly generated subspace and is therefore preferable. We attribute the phenomenon to the fact that the set of polynomials from which a Gröbner basis is computed is simpler in the former case.

According to [17, 25] the equation (3), where $x_i \in V$, is reducible, by taking coordinates (so called Weil descent), to a system of $n$ Boolean equations in $mk$ variables. A Gröbner basis algorithm is applicable to find its solutions. The maximal total degree of the Boolean equations is at most $m(m-1)$. Also it was observed in [17] and proved in [11] that the first fall degree of the Boolean equations coming from

$S_{m+1}(x_1, \dots, x_m, R_x) = 0$

is at most $m^2 + 1$.

We consider the case $m = 2$ in more detail now. First we take the polynomial (13), where all of $x_1, x_2, x_3$ are variables in $V$ or $F_{2^n}$. Following an idea in [17] it is easy to prove that the first fall degree is 4 in this case. Really, the coordinate Boolean functions which represent $S_3(x_1, x_2, x_3)$ are of total degree 3. We denote that fact

$\deg_{F_2} S_3(x_1, x_2, x_3) = 3.$

However

$\deg_{F_2} x_1 S_3(x_1, x_2, x_3) = 3$

again, because

$x_1 S_3(x_1, x_2, x_3) = x_1[(x_1 x_2 + x_1 x_3 + x_2 x_3)^2 + x_1 x_2 x_3 + B]$
$\quad = x_1^3 x_2^2 + x_1^3 x_3^2 + x_1 x_2^2 x_3^2 + x_1^2 x_2 x_3 + B x_1,$

despite $\deg_{F_2} x_1 + \deg_{F_2} S_3(x_1, x_2, x_3) = 4$. This argument does not work for $S_3(x_1, x_2, z)$, where $z$ is a constant from $F_{2^n}$. We have

$\deg_{F_2} S_3(x_1, x_2, z) = 2, \quad \deg_{F_2} x_1 S_3(x_1, x_2, z) = 3,$

and $\deg_{F_2} x_1 + \deg_{F_2} S_3(x_1, x_2, z) = 3$. The first fall degree for such polynomials was bounded by 5 in [17]. The experiments show it is always 4 again. Anyway, at least $t - 2$ of the equations in (4) have first fall degree 4. So we come up with the following assumption.
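As an added illustration (not part of the paper), the Boolean degrees discussed above can be computed directly: evaluate the polynomial at every input in $F_{2^4}^3$, take the $n$ coordinate functions, convert each truth table to algebraic normal form by the Möbius transform and read off the degree. $F_{2^4} = F_2[x]/(x^4 + x + 1)$, the constant $B$ and the constant $z$ standing in for $R_x$ are constructed choices; the field is small enough that the $2^{12}$ evaluations are instant.

```python
N = 4
MOD = 0b10011    # F_{2^4} = F_2[x]/(x^4 + x + 1), a constructed toy field
B = 0b1011       # curve constant in (13) (constructed)
Z = 0b0110       # constant standing in for R_x (constructed)

def gf_mul(a, b):
    """Multiply in F_{2^N}; an integer's bits are the coefficients of a polynomial in alpha."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r

def s3(x1, x2, x3):
    """Third summation polynomial (13): (x1x2 + x1x3 + x2x3)^2 + x1x2x3 + B."""
    s = gf_mul(x1, x2) ^ gf_mul(x1, x3) ^ gf_mul(x2, x3)
    return gf_mul(s, s) ^ gf_mul(gf_mul(x1, x2), x3) ^ B

def anf_degree(truth):
    """Algebraic degree of a Boolean function given by its truth table (index = input
    bits): Moebius transform to algebraic normal form, then the heaviest monomial."""
    t = list(truth)
    nbits = len(t).bit_length() - 1
    for i in range(nbits):
        bit = 1 << i
        for x in range(len(t)):
            if x & bit:
                t[x] ^= t[x ^ bit]
    return max((bin(x).count("1") for x in range(len(t)) if t[x]), default=-1)

def weil_degree(f, nvars):
    """deg_{F_2} of f: F_{2^N}^nvars -> F_{2^N}, i.e. the largest Boolean degree among
    its N coordinate functions after Weil descent (each field variable is N bits)."""
    mask = (1 << N) - 1
    truths = [[0] * (1 << (N * nvars)) for _ in range(N)]
    for idx in range(1 << (N * nvars)):
        val = f(*[(idx >> (N * j)) & mask for j in range(nvars)])
        for c in range(N):
            truths[c][idx] = (val >> c) & 1
    return max(anf_degree(tt) for tt in truths)

def first_fall_degrees():
    """Degrees of S3(x1,x2,x3), x1*S3(x1,x2,x3), S3(x1,x2,z) and x1*S3(x1,x2,z)."""
    return (weil_degree(s3, 3),
            weil_degree(lambda a, b, c: gf_mul(a, s3(a, b, c)), 3),
            weil_degree(lambda a, b: s3(a, b, Z), 2),
            weil_degree(lambda a, b: gf_mul(a, s3(a, b, Z)), 2))

if __name__ == "__main__":
    print("deg S3, deg x1*S3, deg S3(.,.,z), deg x1*S3(.,.,z):", first_fall_degrees())
```

The degrees come out as 3, 3, 2, 3, matching the argument above: multiplying the three-variable $S_3$ by $x_1$ leaves the Boolean degree at 3 although $\deg x_1 + \deg S_3 = 4$, which is the degree fall at 4, while for constant $z$ the product $x_1 S_3(x_1, x_2, z)$ reaches the full $\deg x_1 + \deg S_3 = 3$, so no fall is visible at that degree.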

Assumption 1 Let $q = 2^n$ and $2 \le m \le n$, $k = \lceil n/m \rceil$. Also let $V$ be a subspace of dimension $k$ in $F_{2^n}$. Then $d_{F4} \le 4$ for a Boolean equation system equivalent to (4) for any $2 \le t \le m$.

4.5.1 Experiments

In this section we check Assumption 1 by experiments with MAGMA. The package implements the Gröbner basis type algorithm F4 due to Faugère [4]. We run the algorithm to construct solutions for the system of Boolean equations resulting from (4). The system consists of $n(t-1)$ coordinate equations in $n(t-2) + kt$ variables, and $n(t-2) + kt$ field equations are added. To simplify computations the $X$-coordinate $R_x$ of a random $R$ was substituted by a random element $z$ from $F_{2^n}$. We take the parameters $n$, $t \le m$, $k = \lceil n/m \rceil$ from a range of values and solve the system for 100 random $z$.

The results, where $B = 1$ in (13), are presented in Table 1. The results, where $B$ is a randomly generated element from $F_{2^n}$, are presented in Table 2. In the columns of the tables the following parameters are shown: $n$, $m$, $t$, $k = \lceil n/m \rceil$, the experimental success probability, the theoretical success probability $P(n, m, t, k)$, the maximal degree $d_{F4}$ of the polynomials generated by F4 before a Gröbner basis is computed, the average time in seconds for solving one system, and the overall amount of memory in MB used for solving 100 systems (4). A computer with a 2.6GHz Intel Core i7 processor and 16GB 1600MHz DDR3 memory was used. The most important of all the parameters is $d_{F4}$. We use the verbosity implemented in MAGMA for Faugère's F4. The computation by F4 is split into a number of steps, where "step degree" is the maximal total degree of the polynomials for which a row echelon form is computed. The parameter is available for every step of the algorithm. If the ideal generated by the polynomials is the unit ideal, then "step degree" was always bounded by 4. If not, that is there is a solution, then "step degree" was bounded by 4 for all the steps before the basis is computed. They were followed by at most three more steps, where "step degree" was 5, 6, 7 with the message "No pairs to reduce". At this point the computation stops. To fill the tables 2300 Boolean systems each of total degree 3 coming from (4), where $t = m$, were solved. For all of them the maximal total degree attained by F4 to compute a Gröbner basis was exactly 4. For $t < m$ the maximal total degree was smaller or equal
Table 1: Max. degree of polynomials by MAGMA and other parameters, B = 1.

  n     t = m   k = ⌈n/m⌉   exp. prob.   P(n,m,t,k)   d_F4   av. sec.   MB
  12    6       2           0.00         0.0013       4        2.30     257.8
  13    4       4           0.41         0.2834       4       81.64     739.8
  13    5       3           0.05         0.0327       4       84.65    1597.8
  14    4       4           0.10         0.1535       4       79.57     879.7
  14    5       3           0.02         0.0165       4       23.47     960.2
  15    4       4           0.11         0.0799       4      136.70    1457.3
  15    5       3           0.05         0.0082       4      300.48    3286.9
  16    4       4           0.09         0.0408       4      175.72    1657.7
  17    3       6*          0.32         0.2834       4       27.08     378.1
  17    3       6           0.30         0.2834       4       11.41     364.1
  17*   3       6           0.36         0.2834       4       12.09     355.1
  17*   3       6*          0.25         0.2834       4       34.32     693.2


to 4. We conclude that for all values of $n$, $m$ and $t \le m$ in the tables Assumption 1 was correct for randomly chosen $z \in F_{2^n}$. So the assumption is very likely to be correct for any values of $n$, $m$, $t \le m$.

The method significantly overcomes what was experimentally achieved in [17, 25]. For instance, for $n = 21$, $m = 3$, $k = 7$ the solution in [25] of (3) took 6910 seconds on the average with 27235 MB maximum memory used. With the new method the solution of (4) for $t = m$, and therefore of (3) as well, takes 133.5 seconds on the average and 2437.8 MB maximum memory on an inferior computer, see Table 2.

In the last 4 lines of Table 1 we also take into account the influence of the choice of the generating polynomial for $F_{2^n}$ and of the vector space $V$. The line with 17* means a random irreducible polynomial $f(X)$ of degree 17 for constructing $F_{2^{17}}$ was used in the computations. Otherwise a default generating polynomial of MAGMA or a sparse polynomial was used. The line with 6* means a random subspace of dimension 6 in $F_{2^{17}}$ was used in the computations. Otherwise the subspace of all degree $< 6$ polynomials modulo $f(X)$ was used. We realise the latter is preferable.

To conclude the section we should mention that the maximal degree (regularity degree) generally exceeds 4 when $k > \lceil n/m \rceil$, though the first fall degree is still 4.

4.5.2 Asymptotical Complexity

In this section an asymptotical complexity estimate for the discrete logarithm problem in $E(F_{2^n})$ based on Assumption 1 is derived. The algorithm complexity is the sum of the complexities of two stages. First, collecting a system of $\le 2^k$, $k = \lceil n/m \rceil$, linear relations (6)
Table 2: Max. degree of polynomials by MAGMA and other parameters, random B.

  n    m   t   k = ⌈n/m⌉   exp. prob.   P(n,m,t,k)   d_F4   av. sec.   MB
  12   6   6   2           0.01         0.0013       4        2.52     289.9
  13   4   4   4           0.31         0.2834       4       85.30     981.8
  13   5   5   3           0.09         0.0327       4       98.81    1633.0
  14   4   4   4           0.16         0.1535       4       93.48    1056.7
  14   5   5   3           0.03         0.0165       4       41.15    1154.2
  15   4   4   4           0.06         0.0799       4      102.85    1177.5
  15   4   3   4           0.02         0.0206       4        0.4765    64.1
  15   4   2   4           0.00         0.0038       4        0.0013    32.1
  15   5   5   3           0.03         0.0082       4      174.47    2635.4
  15   5   4   3           0.01         0.0051       4       12.95     424.9
  15   5   3   3           0.00         0.0026       4        0.0339    32.1
  15   5   2   3           0.00         0.0009       4        0.0006    32.1
  16   4   4   4           0.04         0.0408       4      160.87    1145.2
  16   4   3   4           0.01         0.0103       4        0.4984    64.1
  16   4   2   4           0.00         0.0019       4        0.0014    32.1
  17   3   3   6           0.21         0.2834       4       15.80     375.8
  19   3   3   7           0.47         0.4865       4      137.32    1812.8
  19   3   2   7           0.01         0.0155       4        0.0092    32.1
  21   3   3   7           0.12         0.1535       4      133.54    2437.8
  21   3   2   7           0.01         0.0038       4        0.0095    32.1

and then solving them. The probability of producing one linear relation by solving at least one system of multivariate Boolean equations (4) for $2 \le t \le m$ is at least $P(n, m, m, k) \approx 2^{mk - n}/m!$, see Section 4.3. The complexity of solving by the Gröbner basis algorithm F4 is $[n(m-1)]^{4\omega}$. The estimate in [17] was based on using a block structured Gröbner basis algorithm, where the block size was $k$, rather than the standard F4. That reduced the asymptotical complexity of solving (3). We think the same approach is applicable to solve the equations coming from (4) as well, with the block size $n$. That reduces the complexity of finding the relation to $n^{4\omega}$. We remark that this does not affect the asymptotical complexity of the present method anyway, as both estimates are polynomial. Therefore the complexity of the first stage is

$\dfrac{2^k}{P(n, m, m, k)}\; n^{4\omega} \approx m!\; 2^{\,n - mk + k}\; n^{4\omega}$ (14)

operations, where $2.376 \le \omega \le 3$ is the linear algebra constant. For $\omega = 3$ that is at most $m!\, 2^k n^{12}$, since $mk \ge n$. The complexity of the second stage is

$2^{k\omega'}$ (15)

where $\omega' = 2$ is the sparse linear algebra constant. One equates (14) and (15) to determine the optimal value of $m$ for large $n$. The overall complexity is

$2^{k\omega'} = 2^{2k} \approx 2^{c\sqrt{n \ln n}}, \quad c = (2/\ln 2)^{1/2}.$
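The constant $c$ follows from equating (14) and (15) with $k \approx n/m$; the derivation below is an added worked computation that is not part of the original paper. Polynomial factors in $n$ are dropped, since they only add $O(\log n)$ to an exponent of order $\sqrt{n \ln n}$, and $2^{n - mk} \le 1$ because $mk \ge n$:

$$m!\; 2^{n/m} \approx 2^{2n/m} \quad\Longrightarrow\quad m! \approx 2^{n/m} \quad\Longrightarrow\quad m \ln m \approx \frac{n \ln 2}{m},$$

so $m^2 \ln m \approx n \ln 2$. Writing $m = C\sqrt{n/\ln n}$ gives $\ln m \approx \tfrac{1}{2}\ln n$ for large $n$, hence $C^2 = 2 \ln 2$, that is

$$m \approx \sqrt{\frac{2 n \ln 2}{\ln n}}, \qquad 2k \approx \frac{2n}{m} = \sqrt{\frac{2 n \ln n}{\ln 2}} = \left(\frac{2}{\ln 2}\right)^{1/2} \sqrt{n \ln n},$$

which is the exponent of (15), so $c = (2/\ln 2)^{1/2} \approx 1.699$.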

We now compare the values of (14) and (15) for a range of $n \le 571$ in Table 3. The first stage complexity dominates. For each $n$ in the range one finds $m$ where the first stage complexity is minimal. The table presents the values of $n$, $2^{n/2}$, $m$ and the estimates (14) and (15) for that $m$.

The new method starts performing better than Pollard's for $n > 310$. Therefore the four curves defined over $F_{2^n}$ for $n = 409, 571$ and recommended by FIPS PUB 186-4 [7] are theoretically broken. If only the default Gröbner basis algorithm F4 is used, with complexity $[n(m-1)]^{4\omega}$, then the two FIPS curves for $n = 571$ are broken.

The first stage of the algorithm is easy to accomplish with several processors working in parallel. As the first stage complexity is dominating, that significantly improves the running time of the method in practical terms.
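As an added example that is not part of the paper, the model of Sections 4.3 and 4.5.2 can be turned into a small calculator: (10) for the success probability, the logarithms of (14) and (15), and the search for the $m$ that minimises the first stage for a given $n$. The exponents $4\omega$ and $\omega' = 2$ are taken from the text; a few rows of Table 2 are embedded to check that (10) reproduces the printed $P(n, m, t, k)$ column. The paper's crossover with Pollard's method at $n > 310$ was obtained by extrapolating measured running times, so this formula-only estimate need not agree with it in detail.

```python
import math

def success_probability(q, t, v):
    """P(q, m, t, |V|) from (10): 1 - exp(-|V|^t / (t! q)), the chance that a random
    symmetric map from V^t (about |V|^t / t! orbits) to F_q hits zero at least once."""
    return -math.expm1(-(v ** t) / (math.factorial(t) * q))

def p_binary(n, t, k):
    """P(n, m, t, k): the same with q = 2^n and |V| = 2^k."""
    return success_probability(2 ** n, t, 2 ** k)

# (n, m, t, k, printed P) for a few rows of Table 2, copied from the paper to check (10).
TABLE2_ROWS = [(13, 4, 4, 4, 0.2834), (15, 4, 3, 4, 0.0206), (15, 5, 2, 3, 0.0009),
               (19, 3, 3, 7, 0.4865), (21, 3, 2, 7, 0.0038)]

def table_matches_formula(tol=2e-4):
    return all(abs(p_binary(n, t, k) - p) <= tol for n, m, t, k, p in TABLE2_ROWS)

def log2_p_binary(n, t, k):
    """log2 P(n, m, t, k) without underflow; P ~ |V|^t / (t! q) when that is tiny."""
    log2_x = t * k - math.log2(math.factorial(t)) - n
    if log2_x < -40:
        return log2_x
    return math.log2(-math.expm1(-(2.0 ** log2_x)))

def first_stage_bits(n, m, omega=3.0, block=True):
    """log2 of (14): 2^k relations, each needing 1 / P(n, m, m, k) systems (4), each solved
    in n^(4 omega) operations (block structured F4) or [n(m-1)]^(4 omega) (plain F4)."""
    k = -(-n // m)                       # ceil(n / m)
    solve = 4 * omega * math.log2(n if block else n * (m - 1))
    return k - log2_p_binary(n, m, k) + solve

def second_stage_bits(n, m, omega_prime=2.0):
    """log2 of (15): sparse linear algebra on about 2^k unknowns."""
    return omega_prime * (-(-n // m))

def best_m(n, omega=3.0, block=True):
    """(m, bits): the m in 2..n minimising the first stage estimate (14)."""
    bits, m = min((first_stage_bits(n, m, omega, block), m) for m in range(2, n + 1))
    return m, bits

def versus_pollard(n, omega=3.0, block=True):
    """(log2 of both stages together at the best m, log2 of Pollard's 2^(n/2))."""
    m, first = best_m(n, omega, block)
    second = second_stage_bits(n, m)
    hi, lo = max(first, second), min(first, second)
    return hi + math.log2(1 + 2.0 ** (lo - hi)), n / 2   # log2(2^first + 2^second)

def asymptotic_c():
    """The constant c in 2^(c sqrt(n ln n)) obtained by equating (14) and (15)."""
    return math.sqrt(2 / math.log(2))

if __name__ == "__main__":
    for n in (310, 409, 571):
        print(n, "best m and first stage bits:", best_m(n), "total vs Pollard:", versus_pollard(n))
```

`block=False` switches the per-system cost to the plain F4 estimate $[n(m-1)]^{4\omega}$; `versus_pollard` adds the two stages in the log domain so that large exponents do not overflow.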